Solution management systems and methods for addressing cybersecurity vulnerabilities

ABSTRACT

Solution management systems and methods are presently disclosed that enable receiving, compiling, and analyzing vendor solutions, determining the vendor solutions that address a target vulnerability of a client network and/or client devices, determining additional vulnerabilities of the client network and/or client devices that the vendor solutions address, and selecting a vendor solution to remediate the target vulnerability. The presently disclosed systems and methods also enable scoring, risk evaluation, and additional metrics to facilitate determining the vendor solution(s) that have the largest impact and/or benefit to the various vulnerabilities of the client network and/or client devices.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority from and the benefit of U.S.Provisional Application Ser. No. 62/864,370, entitled “SolutionManagement Systems and Methods for Addressing CybersecurityVulnerabilities,” filed Jun. 20, 2019, which is hereby incorporated byreference in its entirety for all purposes.

This application is related to co-pending U.S. patent application Ser.No. ______, entitled “Solution Management Systems and Methods forAddressing Cybersecurity Vulnerabilities,” Attorney Docket No.(SERV:0938B), and to co-pending U.S. patent application Ser. No. ______,entitled “Solution Management Systems and Methods for AddressingCybersecurity Vulnerabilities,” Attorney Docket No. (SERV:0938C) whichis hereby incorporated by reference in its entirety for all purposes.

BACKGROUND

The present disclosure relates generally to addressing cybersecurityvulnerabilities, and more particularly to organizing, scoring,presenting, and applying solutions to cybersecurity vulnerabilities withefficacy.

This section is intended to introduce the reader to various aspects ofart that may be related to various aspects of the present disclosure,which are described and/or claimed below. This discussion is believed tobe helpful in providing the reader with background information tofacilitate a better understanding of the various aspects of the presentdisclosure. Accordingly, it should be understood that these statementsare to be read in this light, and not as admissions of prior art.

Organizations, regardless of size, rely upon access to informationtechnology (IT) and data and services for their continued operation andsuccess. A respective organization's IT infrastructure may haveassociated hardware resources (e.g. computing devices, load balancers,firewalls, switches, etc.) and software resources (e.g. productivitysoftware, database applications, custom applications, and so forth).Over time, more and more organizations have turned to cloud computingapproaches to supplement or enhance their IT infrastructure solutions.

Cloud computing relates to the sharing of computing resources that aregenerally accessed via the Internet. In particular, a cloud computinginfrastructure allows users, such as individuals and/or enterprises, toaccess a shared pool of computing resources, such as servers, storagedevices, networks, applications, and/or other computing based services.By doing so, users are able to access computing resources on demand thatare located at remote locations, which resources may be used to performa variety of computing functions (e.g., storing and/or processing largequantities of computing data). For enterprise and other organizationusers, cloud computing provides flexibility in accessing cloud computingresources without accruing large up-front costs, such as purchasingexpensive network equipment or investing large amounts of time inestablishing a private network infrastructure. Instead, by utilizingcloud computing resources, users are able redirect their resources tofocus on their enterprise's core functions.

Various components (e.g., computers, routers, devices, pieces ofsoftware, database tables, scripts, webpages, pieces of metadata,database instances, server instances, services, and so forth) of, forexample, a client network and/or client devices may be targeted bymalicious entities and develop cybersecurity vulnerabilities. To addressthese vulnerabilities, a variety of solutions may be developed. However,searching for the applicable solutions, determining the risks involvedin not applying each solution, determining a solution from among thoseavailable, and determining the impact of applying each solution on othercybersecurity vulnerabilities, may be a tedious, time-consuming,expensive, and ultimately inefficient process.

SUMMARY

A summary of certain embodiments disclosed herein is set forth below. Itshould be understood that these aspects are presented merely to providethe reader with a brief summary of these certain embodiments and thatthese aspects are not intended to limit the scope of this disclosure.Indeed, this disclosure may encompass a variety of aspects that may notbe set forth below.

Solution management systems and methods (e.g., in the context of acloud-based platform) are presently disclosed that enable receiving,compiling, and analyzing solutions, determining the solutions thataddress a target vulnerability of, for example, a client network and/orclient devices, determining additional vulnerabilities of the clientnetwork and/or client devices that the solutions address, and selectinga solution to address the target vulnerability. The presently disclosedsystems and methods also enable scoring, risk evaluation, and additionalmetrics to gauge the impact and/or efficacy of each solution across theclient network and/or client devices.

Various refinements of the features noted above may exist in relation tovarious aspects of the present disclosure. Further features may also beincorporated in these various aspects as well. These refinements andadditional features may exist individually or in any combination. Forinstance, various features discussed below in relation to one or more ofthe illustrated embodiments may be incorporated into any of theabove-described aspects of the present disclosure alone or in anycombination. The brief summary presented above is intended only tofamiliarize the reader with certain aspects and contexts of embodimentsof the present disclosure without limitation to the claimed subjectmatter.

BRIEF DESCRIPTION OF THE DRAWINGS

Various aspects of this disclosure may be better understood upon readingthe following detailed description and upon reference to the drawings inwhich:

FIG. 1 is a block diagram of an embodiment of a cloud architectureincluding a client network and client devices in which embodiments ofthe present disclosure may operate;

FIG. 2 is a schematic diagram of an embodiment of a multi-instance cloudarchitecture including a client instance in which embodiments of thepresent disclosure may operate;

FIG. 3 is a block diagram of a computing device utilized in a computingsystem that may be present in FIG. 1 or 2, in accordance with aspects ofthe present disclosure;

FIG. 4 is a block diagram illustrating an embodiment in which a virtualserver supports and enables the client instance of FIG. 2, in accordancewith aspects of the present disclosure;

FIG. 5 is a block diagram of a system that manages configuration items,vulnerabilities, and vendor solutions of the client network and/orclient devices of FIG. 1, according to embodiments of the presentdisclosure;

FIG. 6 is an example solution graph illustrating superseding vendorsolutions and the highest supersedence solutions, according toembodiments of the present disclosure;

FIG. 7 is an example solution graph illustrating vulnerabilities thatare remediated by vendor solutions, as well as inherited vulnerabilitiesthat are remediated by superseding vendor solutions, according toembodiments of the present disclosure;

FIG. 8 is an example solution graph that includes multiple solutiontrees or subgraphs that are connected to one another via sharedvulnerabilities, according to embodiments of the present disclosure;

FIG. 9 is an example solution graph that illustrates determiningsuitable vendor solutions, according to embodiments of the presentdisclosure;

FIG. 10 is an example user interface that displays a table of vendorsolutions, according to embodiments of the present disclosure;

FIG. 11 is an example solution graph illustrating impact andinterrelationships of vendor solutions, according to embodiments of thepresent disclosure;

FIG. 12 is a flow diagram illustrating a process for managing vendorsolutions to remediate vulnerabilities and/or vulnerable items,according to embodiments of the present disclosure;

FIG. 13 is a flow diagram illustrating a process for generating asolution graph, according to embodiments of the present disclosure; and

FIG. 14 is a flow diagram illustrating a process for selecting a vendorsolution, according to embodiments of the present disclosure.

DETAILED DESCRIPTION

One or more specific embodiments will be described below. In an effortto provide a concise description of these embodiments, not all featuresof an actual implementation are described in the specification. Itshould be appreciated that in the development of any such actualimplementation, as in any engineering or design project, numerousimplementation-specific decisions must be made to achieve thedevelopers' specific goals, such as compliance with system-related andenterprise-related constraints, which may vary from one implementationto another. Moreover, it should be appreciated that such a developmenteffort might be complex and time consuming, but would nevertheless be aroutine undertaking of design, fabrication, and manufacture for those ofordinary skill having the benefit of this disclosure.

As used herein, the term “computing system” refers to an electroniccomputing device such as, but not limited to, a single computer, virtualmachine, virtual container, host, server, laptop, and/or mobile device,or to a plurality of electronic computing devices working together toperform the function described as being performed on or by the computingsystem. As used herein, the term “medium” refers to one or morenon-transitory, computer-readable physical media that together store thecontents described as being stored thereon. Embodiments may includenon-volatile secondary storage, read-only memory (ROM), and/orrandom-access memory (RAM). As used herein, the term “application”refers to one or more computing modules, programs, processes, workloads,threads and/or a set of computing instructions executed by a computingsystem. Example embodiments of an application include software modules,software objects, software instances and/or other types of executablecode. As used herein, the term “configuration item” or “CI” refers to arecord for any component (e.g., computer, router, device, piece ofsoftware, database table, script, webpage, piece of metadata, databaseinstance, server instance, service, and so forth) in an enterprisenetwork, for which relevant data, such as manufacturer, vendor,location, or similar data, is stored in a database (e.g., a“configuration management database” or CMDB).

Various configuration items of, for example, a client network and/orclient devices may be targeted by malicious entities and developcybersecurity vulnerabilities. The presently disclosed systems andmethods include discovering and identifying such vulnerabilities byscanning the client network and/or client devices. To address thesevulnerabilities, a variety of solutions may be developed. In manyinstances, the solutions may be developed by vendors who provide theconfiguration items (such as operating system vendors, applicationvendors, service vendors, database vendors, and so on).

The presently disclosed solution management systems and methods (e.g.,in the context of a cloud-based platform) enable receiving, compiling,and analyzing the solutions, identifying the solutions that address atarget vulnerability of the client network and/or client devices,identifying additional vulnerabilities of the client network and/orclient devices that the solutions also address (or otherwise interactwith or impact), and selecting a solution to address the targetvulnerability. The presently disclosed systems and methods also enablescoring, risk evaluation, and additional metrics to gauge the impactand/or efficacy of each solution across the client network and/or clientdevices.

In some embodiments, the presently disclosed solution management systemsand methods enable users to browse relationships between solutions,publicly known and cataloged vulnerabilities, the vulnerabilities of theclient network and/or client devices, the configuration items, groupingsof vulnerable items, vendor-specific vulnerabilities of the clientnetwork and/or client devices, and so on. These relationships may bebrowsed from various perspectives, including that of the publicly knownand cataloged vulnerabilities, the vulnerabilities of the client networkand/or client devices, the solutions, the vulnerable item groups, andthe like. Moreover, the users may view metrics, scores, and/orcalculations illustrating a solution's impact to the variousvulnerabilities and configuration items of the client network and/orclient devices.

With the preceding in mind, the following figures relate to varioustypes of generalized system architectures or configurations that may beemployed to provide services to an organization in a multi-instanceframework and on which the present approaches may be employed.Correspondingly, these system and platform examples may also relate tosystems and platforms on which the techniques discussed herein may beimplemented or otherwise utilized. Turning now to FIG. 1, a schematicdiagram of an embodiment of a cloud computing system 10 whereembodiments of the present disclosure may operate, is illustrated. Thecloud computing system 10 may include a client network 12, a network 14(e.g., the Internet), and a cloud-based platform 16. In someimplementations, the cloud-based platform 16 may be a configurationmanagement database (CMDB) platform. In one embodiment, the clientnetwork 12 may be a local private network, such as local area network(LAN) having a variety of network devices that include, but are notlimited to, switches, servers, and routers. In another embodiment, theclient network 12 represents an enterprise network that could includeone or more LANs, virtual networks, data centers 18, and/or other remotenetworks. As shown in FIG. 1, the client network 12 is able to connectto one or more client devices 20A, 20B, and 20C so that the clientdevices are able to communicate with each other and/or with the networkhosting the platform 16. The client devices 20 may be computing systemsand/or other types of computing devices generally referred to asInternet of Things (IoT) devices that access cloud computing services,for example, via a web browser application or via an edge device 22 thatmay act as a gateway between the client devices 20 and the platform 16.FIG. 1 also illustrates that the client network 12 includes anadministration or managerial device, agent, or server, such as amanagement, instrumentation, and discovery (MID) server 24 thatfacilitates communication of data between the network hosting theplatform 16, other external applications, data sources, and services,and the client network 12. Although not specifically illustrated in FIG.1, the client network 12 may also include a connecting network device(e.g., a gateway or router) or a combination of devices that implement acustomer firewall or intrusion protection system.

For the illustrated embodiment, FIG. 1 illustrates that client network12 is coupled to a network 14. The networks 12, 14 may include one ormore computing networks, such as other LANs, wide area networks (WAN),the Internet, and/or other remote networks, to transfer data between theclient devices 20 and the network hosting the platform 16. Each of thecomputing networks within network 14 may contain wired and/or wirelessprogrammable devices that operate in the electrical and/or opticaldomain. For example, network 14 may include wireless networks, such ascellular networks (e.g., Global System for Mobile Communications (GSM)based cellular network), IEEE 802.11 networks, and/or other suitableradio-based networks. The network 14 may also employ any number ofnetwork communication protocols, such as Transmission Control Protocol(TCP) and Internet Protocol (IP). Although not explicitly shown in FIG.1, network 14 may include a variety of network devices, such as servers,routers, network switches, and/or other network hardware devicesconfigured to transport data over the network 14.

In FIG. 1, the network hosting the platform 16 may be a remote network(e.g., a cloud network) that is able to communicate with the clientdevices 20 via the client network 12 and network 14. The network hostingthe platform 16 provides additional computing resources to the clientdevices 20 and/or the client network 12. For example, by utilizing thenetwork hosting the platform 16, users of the client devices 20 are ableto build and execute applications for various enterprise, IT, and/orother organization-related functions. In one embodiment, the networkhosting the platform 16 is implemented on the one or more data centers18, where each data center could correspond to a different geographiclocation. Each of the data centers 18 includes a plurality of virtualservers 26 (also referred to herein as application nodes, applicationservers, virtual server instances, application instances, or applicationserver instances), where each virtual server 26 can be implemented on aphysical computing system, such as a single electronic computing device(e.g., a single physical hardware server) or across multiple-computingdevices (e.g., multiple physical hardware servers). Examples of virtualservers 26 include, but are not limited to a web server (e.g., a unitaryApache installation), an application server (e.g., unitary JAVA VirtualMachine), and/or a database server (e.g., a unitary relational databasemanagement system (RDBMS) catalog).

To utilize computing resources within the platform 16, network operatorsmay choose to configure the data centers 18 using a variety of computinginfrastructures. In one embodiment, one or more of the data centers 18are configured using a multi-tenant cloud architecture, such that one ofthe server instances 26 handles requests from and serves multiplecustomers. Data centers 18 with multi-tenant cloud architecturecommingle and store data from multiple customers, where multiplecustomer instances are assigned to one of the virtual servers 26. In amulti-tenant cloud architecture, the particular virtual server 26distinguishes between and segregates data and other information of thevarious customers. For example, a multi-tenant cloud architecture couldassign a particular identifier for each customer in order to identifyand segregate the data from each customer. Generally, implementing amulti-tenant cloud architecture may suffer from various drawbacks, suchas a failure of a particular one of the server instances 26 causingoutages for all customers allocated to the particular server instance.

In another embodiment, one or more of the data centers 18 are configuredusing a multi-instance cloud architecture to provide every customer itsown unique customer instance or instances. For example, a multi-instancecloud architecture could provide each customer instance with its owndedicated application server(s) and dedicated database server(s). Inother examples, the multi-instance cloud architecture could deploy asingle physical or virtual server 26 and/or other combinations ofphysical and/or virtual servers 26, such as one or more dedicated webservers, one or more dedicated application servers, and one or moredatabase servers, for each customer instance. In a multi-instance cloudarchitecture, multiple customer instances could be installed on one ormore respective hardware servers, where each customer instance isallocated certain portions of the physical server resources, such ascomputing memory, storage, and processing power. By doing so, eachcustomer instance has its own unique software stack that provides thebenefit of data isolation, relatively less downtime for customers toaccess the platform 16, and customer-driven upgrade schedules. Anexample of implementing a customer instance within a multi-instancecloud architecture will be discussed in more detail below with referenceto FIG. 2.

FIG. 2 is a schematic diagram of an embodiment of a multi-instance cloudarchitecture 100 where embodiments of the present disclosure mayoperate. FIG. 2 illustrates that the multi-instance cloud architecture100 includes the client network 12 and the network 14 that connect totwo (e.g., paired) data centers 18A and 18B that may be geographicallyseparated from one another and provide data replication and/or failovercapabilities. Using FIG. 2 as an example, network environment andservice provider cloud infrastructure client instance 102 (also referredto herein as a client instance 102) is associated with (e.g., supportedand enabled by) dedicated virtual servers (e.g., virtual servers 26A,26B, 26C, and 26D) and dedicated database servers (e.g., virtualdatabase servers 104A and 104B). Stated another way, the virtual servers26A-26D and virtual database servers 104A and 104B are not shared withother client instances and are specific to the respective clientinstance 102. In the depicted example, to facilitate availability of theclient instance 102, the virtual servers 26A-26D and virtual databaseservers 104A and 104B are allocated to two different data centers 18Aand 18B so that one of the data centers 18 acts as a backup data center.Other embodiments of the multi-instance cloud architecture 100 couldinclude other types of dedicated virtual servers, such as a web server.For example, the client instance 102 could be associated with (e.g.,supported and enabled by) the dedicated virtual servers 26A-26D,dedicated virtual database servers 104A and 104B, and additionaldedicated virtual web servers (not shown in FIG. 2).

Although FIGS. 1 and 2 illustrate specific embodiments of a cloudcomputing system 10 and a multi-instance cloud architecture 100,respectively, the disclosure is not limited to the specific embodimentsillustrated in FIGS. 1 and 2. For instance, although FIG. 1 illustratesthat the platform 16 is implemented using data centers, otherembodiments of the platform 16 are not limited to data centers and canutilize other types of remote network infrastructures. Moreover, otherembodiments of the present disclosure may combine one or more differentvirtual servers into a single virtual server or, conversely, performoperations attributed to a single virtual server using multiple virtualservers. For instance, using FIG. 2 as an example, the virtual servers26A, 26B, 26C, 26D and virtual database servers 104A, 104B may becombined into a single virtual server. Moreover, the present approachesmay be implemented in other architectures or configurations, including,but not limited to, multi-tenant architectures, generalizedclient/server implementations, and/or even on a single physicalprocessor-based device configured to perform some or all of theoperations discussed herein. Similarly, though virtual servers ormachines may be referenced to facilitate discussion of animplementation, physical servers may instead be employed as appropriate.The use and discussion of FIGS. 1 and 2 are only examples to facilitateease of description and explanation and are not intended to limit thedisclosure to the specific examples illustrated therein.

As may be appreciated, the respective architectures and frameworksdiscussed with respect to FIGS. 1 and 2 incorporate computing systems ofvarious types (e.g., servers, workstations, client devices, laptops,tablet computers, cellular telephones, and so forth) throughout. For thesake of completeness, a brief, high level overview of componentstypically found in such systems is provided. As may be appreciated, thepresent overview is intended to merely provide a high-level, generalizedview of components typical in such computing systems and should not beviewed as limiting in terms of components discussed or omitted fromdiscussion.

By way of background, it may be appreciated that the present approachmay be implemented using one or more processor-based systems such asshown in FIG. 3. Likewise, applications and/or databases utilized in thepresent approach may be stored, employed, and/or maintained on suchprocessor-based systems. As may be appreciated, such systems as shown inFIG. 3 may be present in a distributed computing environment, anetworked environment, or other multi-computer platform or architecture.Likewise, systems such as that shown in FIG. 3, may be used insupporting or communicating with one or more virtual environments orcomputational instances on which the present approach may beimplemented.

With this in mind, an example computer system may include some or all ofthe computer components depicted in FIG. 3. FIG. 3 generally illustratesa block diagram of example components of a computing system 200 andtheir potential interconnections or communication paths, such as alongone or more busses. As illustrated, the computing system 200 may includevarious hardware components such as, but not limited to, one or moreprocessors 202, one or more busses 204, memory 206, input devices 208, apower source 210, a network interface 212, a user interface 214, and/orother computer components useful in performing the functions describedherein.

The one or more processors 202 may include one or more microprocessorscapable of performing instructions stored in the memory 206. In someembodiments, the instructions may be pipelined from execution stacks ofeach process in the memory 206 and stored in an instruction cache of theone or more processors 202 to be processed more quickly and efficiently.Additionally or alternatively, the one or more processors 202 mayinclude application-specific integrated circuits (ASICs),field-programmable gate arrays (FPGAs), and/or other devices designed toperform some or all of the functions discussed herein without callinginstructions from the memory 206.

With respect to other components, the one or more busses 204 includesuitable electrical channels to provide data and/or power between thevarious components of the computing system 200. The memory 206 mayinclude any tangible, non-transitory, and computer-readable storagemedia. Although shown as a single block in FIG. 3, the memory 206 can beimplemented using multiple physical units of the same or different typesin one or more physical locations. The input devices 208 correspond tostructures to input data and/or commands to the one or more processors202. For example, the input devices 208 may include a mouse, touchpad,touchscreen, keyboard and the like. The power source 210 can be anysuitable source for power of the various components of the computingdevice 200, such as line power and/or a battery source. The networkinterface 212 includes one or more transceivers capable of communicatingwith other devices over one or more networks (e.g., a communicationchannel). The network interface 212 may provide a wired networkinterface, a wireless network interface, an optical interface, a quantumnetwork interface, and so on. A user interface 214 may include a displaythat is configured to display text or images transferred to it from theone or more processors 202. In addition and/or alternative to thedisplay, the user interface 214 may include other devices forinterfacing with a user, such as lights (e.g., LEDs), speakers, and thelike.

FIG. 4 is a block diagram illustrating an embodiment in which a virtualserver 300 supports and enables the client instance 102, according toone or more disclosed embodiments. More specifically, FIG. 4 illustratesan example of a portion of a service provider cloud infrastructure,including the cloud-based platform 16 discussed above. The cloud-basedplatform 16 is connected to a client device 20 via the network 14 toprovide a user interface to network applications executing within theclient instance 102 (e.g., via a web browser running on the clientdevice 20). Client instance 102 is supported by virtual servers 26similar to those explained with respect to FIG. 2, and is illustratedhere to show support for the disclosed functionality described hereinwithin the client instance 102. Cloud provider infrastructures aregenerally configured to support a plurality of end-user devices, such asclient device(s) 20, concurrently, wherein each end-user device is incommunication with the single client instance 102. Also, cloud providerinfrastructures may be configured to support any number of clientinstances, such as client instance 102, concurrently, with each of theinstances in communication with one or more end-user devices. Asmentioned above, an end-user may also interface with client instance 102using an application that is executed within a web browser.

With the preceding in mind, FIG. 5 is a block diagram of a system 400that manages configuration items, vulnerabilities, and vendor solutionsof the client network 12 and/or client devices 20, according toembodiments of the present disclosure. The system 400 may include aclient network 12 and/or client devices 20 having one or moreconfiguration items 402. The configuration items 402 may includephysical entities (e.g., computers, routers, or other devices), logicalentities (e.g., database instances, server instances, or otherinstances), and/or conceptual entities (e.g., requisition services,migration services, or other services). A configuration managementdatabase (CMDB) 404 may be used to manage the configuration items 402 bystoring configurations, attributes, descriptions, and/or any othersuitable information associated with the configuration items 402.

The system 400 may include the client instance 102, which may implementa solution management system 406 that is communicatively coupled to theCMDB 404 and may receive information about the configuration items 402of the client network 12 and/or client devices 20 from the CMDB 404. Thesolution management system 406 may communicatively couple to a knownvulnerabilities database 408 via, for example, the network 14. The knownvulnerabilities database 408 may include a listing of cybersecurityvulnerabilities 410 and be maintained by third parties. For example, theknown vulnerabilities database 408 may be part of the CommonVulnerabilities and Exposures (CVE) system that provides areference-method for publicly known information-security vulnerabilitiesand exposures.

The solution management system 406 may also be communicatively coupledto configuration item vulnerability scanning logic 411, which may scanthe configuration items 402 of the client network 12 and/or clientdevices 20 and determine the configuration items 402 that are associatedwith and/or have known vulnerabilities 410 (which may be referred to as“vulnerable items” 412). In some cases, the configuration itemvulnerability scanning logic 411 may be predictive in nature. Forexample, the configuration item vulnerability scanning logic 411 maydetermine software applications that a configuration item 402 hasinstalled, and predict that the configuration item 402 hasvulnerabilities 410 corresponding to the installed softwareapplications. In some embodiments, the configuration item vulnerabilityscanning logic 411 may be part of the solution management system 406,while in other embodiments, as illustrated, the configuration itemvulnerability scanning logic 411 may be external to the solutionmanagement system 406. For example, the configuration item vulnerabilityscanning logic 411 may be provided by a third party software vendor. Thevulnerable items 412 may be stored in a vulnerable items database 414.The configuration item vulnerability scanning logic 411 may periodically(e.g., daily, every other day, weekly, or any other suitable timeperiod) scan the client network 12 and/or client devices 20 forvulnerable items 412, though this may be configurable (e.g., updates mayoccur based on user initiation or any other suitable triggering event).Additionally, portions of vulnerability scanning logic 411 may alsoexist in/on the client network 12 and client devices 20. For example,the portion of the vulnerability scanning logic 411 in the clientinstance 102 may communicate or couple with scanning results over thenetwork 14.

The solution management system 406 may also communicatively couple tovarious vendor websites (or other sites or repositories) 416 via thenetwork 14 that provide vendor solutions 418 to the knownvulnerabilities listed in the known vulnerabilities database 408. Itshould be understood that further references to vendor websites 416include, without limitation, web application platform interfaces, XMLand/or JSON feeds, data warehouses, or any other web accessible dataservices. The vendors may be the developers and/or providers ofsoftware, such as operating systems or applications that are executed bythe client network 12 and/or client devices 20. The vendor solutions 418may be in the form of patches, workarounds, mitigation steps, or anyother suitable guidance that remediate (e.g., fix, solve, patch, orotherwise address) the known vulnerabilities. As an example, one vendorwebsite 416 may be maintained by the Microsoft® Security ResponseCenter, which may provide vendor solutions 418 to known vulnerabilitiesidentified by the CVE system.

Conventional approaches typically include users manually searching forvendor solutions 418 to the vulnerable items 412, determining the risksinvolved in not implementing each vendor solution 418, determining asuitable vendor solution 418, and determining the impact of applyingeach vendor solution 418 on other cybersecurity vulnerabilities. Suchapproaches are often tedious, time-consuming, expensive, andinefficient. For example, while determining the appropriate vendorsolution 418 to apply to a single vulnerable item 412 may be a simpleexercise, vendor solutions 418 may have far-reaching consequences whenconsidering a platform or enterprise level system, such as the clientnetwork 12 and/or client devices 20. This is because multiple vendorsolutions 418 may remediate a vulnerable item 412, and each vendorsolution 418 may span or affect multiple software applications, softwareversions, and/or operating systems (each of which may be developed byone or more vendors).

The solution management system 406 may include solution graph generationlogic 420 that generates a solution graph or tree 422 which illustratesor conceptualizes relationships between the vendor solutions 418 thatapply to the vulnerabilities 410 determined in the client network 12and/or client devices 20 (realized in the form of vulnerable items 412).In particular, the solution graph generation logic 420 may generate thesolution graph 422 based on solution supersedence and vulnerabilityinheritance. Supersedence refers to a first vendor solution 418superseding a second vendor solution 418, such that the first vendorsolution 418 remediates at least the same vulnerabilities 410 as thesecond vendor solution 418 (and possibly more vulnerabilities 410). Thismay occur because, for example, the second vendor solution 418 may be asoftware patch, and the first vendor solution 418 may be a newerrevision of the software patch. As another example, the second vendorsolution 418 may be a software patch that remediates a single vulnerableitem 412, and a vendor included or “rolled up” the second vendorsolution 418 into the first vendor solution 418, which remediatesmultiple vulnerable items 412 including the single vulnerable item 412.In the case where there is supersedence, a vendor may provide asupersedence (or precedence) “link” stating that the first vendorsolution 418 supersedes the second vendor solution 418 (or that thesecond vendor solution 418 supersedes the first vendor solution 418).

For example, FIG. 6 is an example solution graph 500 illustratingsuperseding vendor solutions, according to embodiments of the presentdisclosure. All the vendor solutions 418 in the solution graph 500 mayremediate a certain vulnerable item 412. The arrows 502 point tosuperseding vendor solutions. For example, a vendor solution 504 may notsupersede another vendor solution, as the vendor solution 504 does nothave an arrow 502 pointing at it. However, the vendor solution 504 issuperseded by two other vendor solutions 506, 508, as two arrows 502point from it to the other two vendor solutions 506, 508. As mentionedabove, the two vendor solutions 506, 508 may supersede the vendorsolution 504 because, for example, the vendor solutions 506, 508 may bea newer revision of a software patch represented by the vendor solution504, or the vendor solution 504 may be rolled up into the vendorsolutions 506, 508.

The solution graph 500 may include a variety of pathing, such as forking(e.g., from vendor solution 504 to the two vendor solutions 506, 508),converging (e.g., from vendor solutions 508, 510 to vendor solution512), branching, and so on. In the example solution graph 500, threevendor solutions 506, 514, 516 have highest supersedence in that each ofthe vendor solutions 506, 514, 516 are not superseded by another vendorsolution.

While the solution graph generation logic 420 may allow pathing todiverge from a single first vendor solution and eventually converge to asingle second vendor solution, in some embodiments, the solution graphgeneration logic 420 may “prune” or modify the pathing of the solutiongraph 500 to ensure that the solution graph 500 is directional such thatthe solution graph 500 may be walked or traveled from any vendorsolution to a vendor solution that is not superseded (e.g., a vendorsolution having highest supersedence 506, 514, 516 or “leaf node”,wherein each vendor solution of the solution graph 500 is a node). Thatis, the solution graph generation logic 420 may ensure that there areonly directional paths, and thus no cyclical paths, in the solutiongraph 500.

For example, the solution graph generation logic 420 may not allowcyclical pathing where supersedence passes through and returns to asingle vendor solution, as this may prevent determination of a solutiondue to endless traveling in the cyclical path or loop. If such arelationship is encountered, the solution graph generation logic 420 maybreak the path (e.g., as represented by an arrow 502) between two vendorsolutions at which the cyclical path is created. The solution graphgeneration logic 420 may also ensure that superseding vendor solutions(e.g., upstream of where the path is broken) not reference the vendorsolution at which the path is broken, and if so, the solution graphgeneration logic 420 may ignore or not map the relationship to thevendor solution.

While it may appear that implementing superseding vendor solutionsshould be favored to implementing vendor solutions that are notsuperseded, this is not always the case. For example, a vendor solutionthat is superseded may nevertheless be favored relative to a supersedingvendor solution because it has a more beneficial impact on the clientnetwork 12 and/or client devices 20, exposes the client network 12and/or client devices 20 to less risk, is less costly to implement,takes less time to implement, is less complicated to implement, and soon. As such, despite determining a favored vendor solution based onsupersedence, in some embodiments, the client instance 102 maynevertheless enable selection of other vendor solutions.

To facilitate accurate evaluation of vendor solutions 418, the solutiongraph generation logic 420 may also illustrate or conceptualizevulnerabilities that are remediated by the solutions in the solutiongraph, as well as vulnerability inheritance. Inheritance refers to theability of a superseding vendor solution remediating thosevulnerabilities that its preceding vendor solution(s) remediate. Forexample, FIG. 7 is an example solution graph 600 illustrating thevulnerabilities that are remediated by vendor solutions, as well asthose inherited vulnerabilities that are remediated by supersedingvendor solutions, according to embodiments of the present disclosure. Asillustrated, vendor solution 602 is superseded by vendor solution 604.Vendor solution 602 remediates vulnerability 606, and vendor solution604 remediates vulnerabilities 608, 610, as indicated by the solid lines612. The solution graph 600 also indicates the concept of vulnerabilityinheritance with respect to superseding vendor solution 604 via thedashed line 614, which illustrates that, because vendor solution 604supersedes vendor solution 602, which remediates vulnerability 606,vendor solution 604 also remediates vulnerability 606.

It should be understood that the solution graphs 500, 600 in FIGS. 6-7are examples used for explanatory purposes, and that, in practice,solution graphs may be much more complex due to having many moresolutions, vulnerabilities, and relationships. Additionally, it shouldbe understood that each vulnerability (indicated as “V”) and eachsolution (indicated as “S”) illustrated in the solution graphs of FIGS.6-9 and 11 represent a distinct vulnerability, and not the samevulnerability or solution appearing in multiple places in the respectivesolution graph. Moreover, more metrics or data than that shown in FIGS.6-7 may be used and integrated in order to score, rate the impact of,and/or determine vendor solution preference. As an example, FIG. 8 is anexample solution graph 700 that includes multiple solution trees orsubgraphs 702, 704, 706 that are connected to one another via sharedvulnerabilities 708, according to embodiments of the present disclosure.That is, the tree 702 includes one or more solutions (e.g., 710) thatremediate a vulnerability 708 that is also remediated by one or moresolutions (e.g., 712) of the tree 704. Similarly, the tree 704 includesone or more solutions (e.g., 714) that remediate a vulnerability 708that is also remediated by one or more solutions (e.g., 716) of the tree706.

There may also be segregation or optimization of data based on, forexample, sources of the data or timing of the availability of the data.For instance, in one embodiment, vendor solutions may be segregated byvendor, such that, if a first vendor makes a first solution available,and a second vendor makes a second solution available, the solutiongraph generation logic 420 may not allow supersedence between the twosolutions because the solutions come from different vendors. In anotherembodiment, when new or updated solutions are received by the solutionmanagement system 406 from the vendor websites 416, the solution graphgeneration logic 420 may only update vendor solutions, vulnerabilities,vulnerable items, and/or vulnerable item groups that are associated withthe new or updated solutions, while ignoring or not analyzing theremainder of the vendor solutions, vulnerabilities, vulnerable items,and/or vulnerable item groups that were not changed. Thus, any vendorsolution metrics, scores, ratings, solution preferences, and so forth,associated with the remaining vendor solutions, vulnerabilities,vulnerable items, and/or vulnerable item groups may remain unaffected,and the process of updating the solution graph may be more efficient.

Turning back to FIG. 5, the solution management system 406 may includesolution selection logic 424 that may automatically determine a vendorsolution to recommend or implement. In particular, for a givenvulnerability 410 or vulnerable item 412 (e.g., which may be selected bya user), the solution selection logic 424 may determine each vendorsolution 418 in the solution graph 422 that remediates the givenvulnerability 410 or vulnerable item 412. The solution selection logic424 may then determine a set of potential vendor solutions, e.g., theone or more highest supersedence vendor solutions for each determinedvendor solution. If the solution selection logic 424 determines a singlehighest supersedence vendor solution for the set of potential vendorsolutions, then the solution selection logic 424 may return or outputthe single highest supersedence vendor solution (e.g., the favored orsuggested vendor solution). If the solution selection logic 424determines more than one highest supersedence vendor solution for allthe determined vendor solutions, then the solution selection logic 424may not return or output a vendor solution, as it may be ambiguous whatthe suggested vendor solution is. In some embodiments, though, thesolution selection logic 424 may return all the determined potentialvendor solutions that include those that are the highest supersedencevendor solutions (e.g., based on a percentage or other thresholdcutoff), or a subset of the determined highest supersedence vendorsolutions based on any suitable metrics, user preferences, filters, andthe like. Additionally, if the solution selection logic 424 determinesthat there is not a favored vendor solution due to updated or new datafrom a solution import from the vendor websites 416, and the solutionselection logic 424 had previously determined that there was a favoredvendor solution based on older data, then the solution selection logic424 may remove or delete the previously determined favored vendorsolution for the vulnerability, vulnerable item, and/or the vulnerableitem groups so that information may stay current.

FIG. 9 is an example solution graph 800 that illustrates determiningsuitable vendor solutions, according to embodiments of the presentdisclosure. In particular, the solution selection logic 424 maydetermine a suitable or favored vendor solution by starting at a givenor selected vulnerability 410, and determining all the vendor solutions418 that remediate that vulnerability 410. For each of the vendorsolutions 418 that remediate the vulnerability 410, the solutionselection logic 424 follows the direction of supersedence arrowsconnected to a respective vendor solution 418 (and does not follow thepaths to any vulnerabilities 410). If following these paths of each ofthe vendor solutions 418 that remediate the vulnerability 410 leads tothe same, single vendor solution 418 (e.g., the same, single, highestsupersedence vendor solution), that vendor solution 418 is the suggestedor favored vendor solution.

For example, as illustrated, the solution graph 800 illustrates multiplefavored vendor solutions 802, 804, 806, 808 for respective givenvulnerabilities 812, 814, 816, 818 because the solution selection logic424 may identify, assign, or output each of the multiple favored vendorsolutions 802, 804, 806, 808 as the same, single highest supersedencevendor solution for the respective given vulnerabilities 812, 814, 816,818. However, for each of the other illustrated vulnerabilities (e.g.,820), there are more than one highest supersedence vendor solutions(e.g., 824). As such, the solution selection logic 424 may not identify,assign, or output a favored or suggested vendor solution.

Moreover, user preferences may modify the algorithmic determination ofthe vendor solution. That is, referring back to FIG. 5, in some cases, auser may favor one or more specific vendor solutions 418 for one or morevulnerabilities 410 and/or vulnerable items 412. This may be due topolicy constraints, because the vendor solution 418 is bundled withother patches that the user does not desire to apply, and so on. Assuch, the solution management system 406 may include solution lockinglogic 426 that enables a user to “lock” or force a vendor solution 418to remediate a given vulnerability 410 or vulnerable item 412. In such acase, when the solution management system 406 receives updated or newvendor solutions 418 from the vendor websites 416, the solutionselection logic 424 may not re-determine or refresh the locked vendorsolution as the user has indicated that it should be the selectedsolution for the given vulnerability 410 or vulnerable item 412.

Additionally or alternatively, the solution management system 406 mayinclude user preference logic 428 that enables a user to indicatepreferences for branches (e.g., paths of divergence) and/or vendorsolutions 418 (e.g., user-preferred branches and/or user-preferredvendor solutions) in the solution graph 422. For example, in someembodiments, solution display logic 430 may display a list of vendorsolutions 418 for the user to view (e.g., on the client device 20 viathe network 14) that remediate a selected vulnerability 410 orvulnerable item 412. The list may include any suitable details relevantto facilitate selecting a vendor solution 418 to remediate one or morevulnerabilities 410 or vulnerable items 412. As an illustrative example,FIG. 10 is an example user interface 900 that displays a table 902 ofvendor solutions 418, according to embodiments of the presentdisclosure. The solution display logic 430 may display the table 902 ona display of the client device 20. The table 902 provides informationassociated with the vendor solutions 418 that may facilitate selecting avendor solution 418 to remediate one or more vulnerabilities 410 orvulnerable items 412, including a descriptive summary or title 904 ofthe vendor solution 418, a bulletin 906 of the vendor solution 418 thatmay describe how the vendor solution 418 was provided or the source fromwhich the vendor solution 418 was supplied from, a product category 908associated with the product for which the vendor solution 418 wasprovided, a risk score 910 representing a risk to the client network 12and/or client devices 20 when not implementing the vendor solution 418,a risk rating 912 representing an alternative scale to evaluate the riskto the client network 12 and/or client devices 20 when not implementingthe vendor solution 418, a number 914 of active vulnerable items 412that may be remediated when implementing the vendor solution 418, apercent complete 916 associated with the number of vulnerable items 412already remediated compared to the number of total vulnerable items 412that may be remediated by the vendor solution 418, and a date published918 associated with when the vendor solution 418 was published. Itshould be understood that the table 902 may also list any other suitableinformation that may facilitate selecting a vendor solution 418 toremediate one or more vulnerabilities 410 or vulnerable items 412.

From the table 902, the user may select a vendor solution 418 toremediate a certain vulnerability 410 or vulnerable item 412, or allowthe solutions selection logic 424 to select or suggest a vendorsolution. In the cases in which the user selects a vendor solution 418,the user preference logic 428 may enable the user to set a user-favoredsolution that may be used by the solution selection logic 424 whendetermining a vendor solution. As such, the solution selection logic 424may only travel the branch of the solution graph 422 where theuser-favored solution exists when determining subsequent vendorsolutions.

The user may favor some branches and/or vendor solutions 418 to othersbecause, for example, the favored branches and/or vendor solutions 418have more beneficial impact on the client network 12 and/or clientdevices 20, expose the client network 12 and/or client devices 20 toless risk, are less costly to implement, take less time to implement,and so on. For instance, in a solution graph 422, one branch may resolvea vulnerability 410 by installing a newer major version of software,while another branch may patch an older major version of the softwarewhich the user may desire to keep using. As such, the user may set apreference for the branch that patches the older major version of thesoftware so that the client network 12 and/or client devices 20 maycontinue using the older major version of the software. In someembodiments, the user preference logic 428 may use machine learningtechniques to determine user preferences of branches and/or vendorsolutions 418 in the solution graph 422.

In some embodiments, the client instance may enable groupings ofvulnerable items 412 (“vulnerable item groups”). For example, a user mayselect and group together multiple vulnerable items 412 into avulnerable item group. The user preference logic 428 may treat userpreferences of branches and/or vendor solutions 418 for the vulnerableitems 412 in the vulnerable item group collectively. That is, the userpreference logic 428 may roll up user preferences of the vulnerableitems 412 in the vulnerable item group up to the level of the vulnerableitem group, and may facilitate selecting or displaying vendor solutionsbased on or that fit the user preferences.

Turning back to the system 400 illustrated in FIG. 5, to facilitateselecting a vendor solution 418 to remediate one or more vulnerabilities410 or vulnerable items 412, the solution management system 406 mayinclude solution analysis logic 432 that may facilitate determiningsolutions of high value and vulnerability exposure of the client network12 and/or client devices 20, as well as track the potential and progressof remediation of vulnerabilities 410 resolved by the vendor solutions418. For example, the solution analysis logic 432 may determine thenumber of total vulnerable items 412 that have been and/or may beremediated by each vendor solution 418, an active number of vulnerableitems 412 that may be (but not yet) remediated by each vendor solution418, a number of vulnerable items 412 that already have been remediatedby each vendor solution 418, a percentage of the active number ofvulnerable items 412 that may be (but not yet) remediated by each vendorsolution 418 to the number of total vulnerable items 412 that have beenand/or may be remediated by each vendor solution 418, and so on. Aspreviously discussed, at least some of these results may be displayed bythe solution display logic 430 in the table 902 shown in FIG. 10.

The solution analysis logic 432 may determine the number of distinctconfiguration items 402 associated with vulnerable items 412 that may beremediated by a selected or favored vendor solution 418, which mayindicate the number of devices and/or assets of the client network 12and/or client devices 20 that may be impacted by implementing the vendorsolution 418. During implementation of the vendor solution 418, thesolution analysis logic 432 may also or alternatively determine thenumber of distinct configuration items 402 that are associated withremediated vulnerable items 412, the number of distinct configurationitems 402 that are associated with vulnerable items 412 that are not yetremediated but may be remediated by the vendor solution 418, and apercent of distinct configuration items 402 remediated to indicate theprogress of implementing the vendor solution 418.

In some embodiments, the solution management system 406 may enable usersto defer or not apply a vendor solution 418 to selected configurationitems 402 and/or vulnerable items 412. This may be because, for example,the configuration items 402 and/or vulnerable items 412 are currentlybeing used, and the users do not desire for changes to be made to theconfiguration items 402 and/or vulnerable items 412 at the current time.As a result, the solution analysis logic 432 may take the deferredconfiguration items 402 and/or vulnerable items 412 into account whengenerating the numbers of configuration items 402 and/or vulnerableitems 412 remediated, to be remediated, and so on.

The solution analysis logic 432 may additionally or alternativelydetermine “potential solution targets”, which refer to vulnerabilities410 and/or vulnerable items 412 that may be resolved by a vendorsolution 418 indirectly (e.g., through supersedence and/or inheritanceas opposed to the vendor solution 418 being selected to directly applyto a targeted vulnerability 410 and/or vulnerable item 412). A vendorsolution's potential vulnerability targets, vulnerable item targets,and/or configuration item targets, may facilitate determining the impactof the vendor solution 418 across the client network 12 and/or clientdevices 20, and, consequently, the most impactful vendor solution 418from a set of potentially selectable vendor solutions 418.

FIG. 11 is an example solution graph 1000 illustrating impact and/orinteraction of vendor solutions 418, according to embodiments of thepresent disclosure. In particular, the solution graph 1000 illustratesor conceptualizes relationships between vendor solutions 418,vulnerabilities 410 remediated by the vendor solutions 418, andvulnerable items 412 associated with the vulnerabilities 410 (e.g.,configuration items 402 having the vulnerabilities 410). The solutionanalysis logic 432 may determine the most impactful vendor solutions1002 for each vulnerable item 412. That is, each most impactful vendorsolution 1002 may remediate the largest number of vulnerable items 412for a target vulnerable item 412, as illustrated by thedashed-and-dotted lines indicating potential solution relationships1004. In some embodiments, the solution analysis logic 432 may determinethe most impactful vendor solution 1006 for the entire solution graph1000, which remediates the largest number of vulnerable items 412 in thesolution graph 1000, as illustrated by the dashed-and-double-dottedlines indicating most impactful solution relationships 1008.

Turning back to FIG. 5, the solution management system 406 may includesolution risk evaluation logic 434 that may score, tabulate, rate, orotherwise evaluate the risk of not implementing vendor solutions 418 onthe client network 12 and/or client devices 20. That is the solutionrisk evaluation logic 434 may determine a risk to the client network 12and/or client devices 20 of the vulnerabilities 410 that may beremediated by a vendor solution 418. In some embodiments, the risk maybe provided on a scale of 0-100, where a high risk score indicates ahigh level of risk that deploying a vendor solution 418 would alleviatefrom the client network 12 and/or client devices 20. For example, thesolution risk evaluation logic 434 may calculate the risk score based onan 85% weight attributable to a maximum risk of a vulnerable item 412and the remaining 15% weight attributable to a logarithmic scale of anumber of total active vulnerable items 412 that may be remediated byimplementing the vendor solution 418. This calculation is provided as anexample, and it should be understood that any suitable routine(s) fordetermining risk alleviated by a vendor solution 418 is contemplated. Aspreviously discussed the risk score (e.g., 910) may be displayed by thesolution display logic 430 in the table 902 shown in FIG. 10.

Additionally or alternatively, the solution risk evaluation logic 434may determine a risk rating that scales the risk score from 1-5(corresponding to Critical, High, Medium, Low, and None). The riskrating may enable users to quickly evaluate the risk of vendor solutions418 at a glance. As previously discussed the risk rating (e.g., 912) maybe displayed by the solution display logic 430 in the table 902 shown inFIG. 10.

With the foregoing in mind, FIG. 12 is a flow diagram illustrating aprocess 1100 for managing vendor solutions 418 to remediatevulnerabilities 410 and/or vulnerable items 412, according toembodiments of the present disclosure. The process 1100 may beperformed, for example, by the system 400 of FIG. 5, and, moreparticularly, the client instance 102, the configuration itemvulnerability scanning logic 411, and/or the solution management system406. While the process 1100 is described using steps in a specificsequence, it should be understood that the present disclosurecontemplates that the describe steps may be performed in differentsequences than the sequence illustrated, and certain described steps maybe skipped or not performed altogether.

In process block 1102, the solution management system 406 receives alist of known vulnerabilities 410. In particular, the solutionmanagement system 406 may communicatively couple to the knownvulnerabilities database 408 via, for example, the network 14, as shownin FIG. 5. The known vulnerabilities database 408 may include a list ofcybersecurity vulnerabilities 410, which may be downloaded and/oraccessed by the solution management system 406.

In process block 1104, the solution management system 406 receives alist of configuration items 402 of a client network 12 and/or clientdevices 20. In particular, the solution management system 406 maycommunicatively couple to a configuration management database (CMDB) 404that manages the configuration items 402 by storing configurations,attributes, descriptions, and/or any other suitable informationassociated with the configuration items 402. As such, the solutionmanagement system 406 may receive a list of the configuration items 402of the client network 12 and/or client devices 20 from the CMDB 404.

In process block 1106, the configuration item vulnerability scanninglogic 411 determines vulnerable items 412 based on the knownvulnerabilities 410 and the configuration items 402. In particular, thesolution management system 406 may be communicatively coupled to aconfiguration item vulnerability scanning logic 411, as illustrated inFIG. 5, may scan the configuration items 402 of the client network 12and/or client devices 20, and determine the configuration items 402 thatare associated with and/or have the known vulnerabilities 410. Thedetermined vulnerable items 412 may be stored in a vulnerable itemsdatabase 414.

In process block 1108, the solution management system 406 generates orreceives a list of vendor solutions 418 for the vulnerable items 412. Inparticular, the solution management system 406 may communicativelycouple to various vendor websites (or other sites or repositories) 416via the network 14, as shown in FIG. 5. The vendor websites 416 mayprovide vendor solutions 418 to the known vulnerabilities 410 listed inthe known vulnerabilities database 408. As such, the solution managementsystem 406 may download or access the list of vendor solutions 418 fromthe vendor websites 416.

In process block 1110, the solution management system 406 generates asolution graph 422 associating the vendor solutions 418 with thevulnerable items 412. In particular, as previously discussed, thesolution graph generation logic 420 may generate the solution graph 422which illustrates or conceptualizes relationships between the vendorsolutions 418 that apply to the vulnerable items 412. As an example,FIG. 13 below is a flow diagram illustrating a process 1200 forgenerating the solution graph 422, according to embodiments of thepresent disclosure.

In process block 1112, the solution management system 406 performs anaction based on the solution graph 422 and generates an output based onperforming the action. For example, as shown in FIG. 5, the solutionselection logic 424 may display and/or select a vendor solution toimplement based on superseding vendor solutions. As another example, thesolution locking logic 426 may enable a user to “lock” or force a vendorsolution 418 to remediate a given vulnerability 410 or vulnerable item412, and/or select or enable selection of a displayed vendor solution418 to implement. The user preference logic 428 may enable a user toindicate preferences for branches (e.g., paths of divergence) and/orvendor solutions 418 in the solution graph 422, and select a vendorsolution 418 to implement based on the user preferences. The solutiondisplay logic 430 may list of vendor solutions 418 for the user to view(e.g., on the client device 20 via the network 14) that remediate aselected vulnerability 410 or vulnerable item 412, and/or enableselection of a displayed vendor solution 418 to implement. The solutionanalysis logic 432 may determine impact of each vendor solution 418and/or the most impactful vendor solution 418 (e.g., for a selectedvulnerability 410 or vulnerable item 412), and/or select or enableselection of the most impactful vendor solution 418 to implement. Thesolution risk evaluation logic 434 may determine a risk of notimplementing certain vendor solutions 418 on the client network 12and/or client devices 20, and/or select or enable selection of thevendor solution 418 that alleviates the most risk to implement. In thismanner, the process 1100 may manage vendor solutions 418 to remediatevulnerabilities 410, vulnerable items 412, and/or vulnerable itemgroups.

As mentioned above with respect to process block 1110, the solutiongraph generation logic 420 may generate the solution graph 422 whichillustrates or conceptualizes relationships between the vendor solutions418 that apply to the vulnerable items 412. FIG. 13 is a flow diagramillustrating a process 1200 for generating the solution graph 422,according to embodiments of the present disclosure. The process 1200 maybe performed, for example, by the system 400 of FIG. 5, and, moreparticularly, the solution graph generation logic 420 of the solutionmanagement system 406. While the process 1200 is described using stepsin a specific sequence, it should be understood that the presentdisclosure contemplates that the described steps may be performed indifferent sequences than the sequence illustrated, and certain describedsteps may be skipped or not performed altogether.

In process block 1202, the solution graph generation logic 420 plots avendor solution 418. In particular, the vendor solution 418 may be oneof the vendor solutions 418 identified from the vendor websites 416(e.g., in process block 1108 of the process 1100 of FIG. 12) andremediate one of the vulnerable items 412 of the client network 12and/or client devices 20 (e.g., as determined in process block 1106 ofthe process 1100 of FIG. 12 and stored in the vulnerable items database414). An example of plotting the vendor solution 418 may be viewed inthe example solution graphs 500, 600, 700 of FIGS. 6-8.

In decision block 1204, the solution graph generation logic 420determines whether there is a next vendor solution 418. For example, thesolution graph generation logic 420 may determine whether there isanother vendor solution 418 to plot in the solution graph 422 in thelist of vendor solutions received from the vendor websites 416 (e.g., inprocess block 1108 of the process 1100 of FIG. 12).

If there is no next vendor solution 418, then all vendor solutions 418have been plotted, and in process block 1206, the solution graphgeneration logic 420 returns the solution graph 422. If there is a nextvendor solution 418, then in decision block 1208, the solution graphgeneration logic 420 determines whether the next vendor solution 418supersedes and/or precedes one or more plotted vendor solutions 418. Ifthe next vendor solution 418 does not supersede and/or precede a plottedvendor solution 418, then in process block 1210, the solution graphgeneration logic 420 plots the next vendor solution 418, and returns todecision block 1204 to determine whether there is another vendorsolution 418 to plot.

If the next vendor solution 418 supersedes and/or precedes a plottedvendor solution 418, then in decision block 1212, the solution graphgeneration logic 420 determines whether plotting the next vendorsolution 418 would create a cyclical path. This is because cyclicalpaths, where a supersedence path may pass through and return to a singlevendor solution 418, may prevent determination of a solution 418 due toendless traveling in the cyclical path or loop. If plotting the nextvendor solution 418 would create a cyclical path, then, in process block1214, the solution graph generation logic 420 plots the next vendorsolution 418, but does not plot the supersedence/precedence that createsthe cyclical path. That is, the solution graph generation logic 420 maynot link the next vendor solution 418 to other plotted vendor solutions418 (and associated vulnerabilities 410) that would result in a cyclicalpath, thus avoiding a cyclical path in the solution graph 422. Theprocess 1200 then returns to decision block 1204 to determine whetherthere is another vendor solution 418 to plot.

If plotting the next vendor solution 418 would not create a cyclicalpath, then, in process block 1216, the solution graph generation logic420 plots the next vendor solution 418 superseding and/or preceding theone or more plotted vendor solutions 418. For example, as shown in theexample solution graph 500 of FIG. 6, the solution graph generationlogic 420 plots the vendor solution 506 as superseding the vendorsolution 504 using an arrow 502 pointing to the superseding vendorsolution 506.

In decision block 1218, the solution graph generation logic 420determines whether, for each respective vulnerability 410 remediated bythe next vendor solution 418, the respective vulnerability 410 isalready plotted. If not, then in process block 1220, the solution graphgeneration logic 420 plots the respective vulnerability 410. Forexample, as shown in the example solution graph 600 of FIG. 7, thesolution graph generation logic 420 plots the vulnerabilities 608, 610remediated by the vendor solution 604.

Then, or if the solution graph generation logic 420 determines that therespective vulnerability 410 is already plotted, in process block 1222,the solution graph generation logic 420 links the next vendor solution418 to the respective vulnerability 410. For example, as shown in theexample solution graph 600 of FIG. 7, the solution graph generationlogic 420 links the vulnerabilities 608, 610 to the vendor solution 604(via the solid lines 612).

In process block 1224, the solution graph generation logic 420 linksvulnerabilities 410 that are remediated by vendor solutions 418 thatprecede the next vendor solution 418 (referred to herein as “precedingvulnerabilities”) to the next vendor solution 418, and links therespective vulnerabilities 410 of the next vendor solution 418 tosuperseding vendor solutions 418. In particular, the preceding vendorsolutions 418 are those vendor solutions 418 that are superseded by thenext vendor solution 418, whose relationships to the next vendorsolution 418 were plotted in process block 1216. For example, as shownin the example solution graph 600 of FIG. 7, for the vendor solution604, the solution graph generation logic 420 links the precedingvulnerability 606 of the preceding vendor solution 602 to the vendorsolution 604 (via the dashed line 614). Similarly, for the vendorsolution 602, the solution graph generation logic 420 links therespective vulnerability 606 to the superseding vendor solution 604 ofthe vendor solution 602 (via the dashed line 614). In this manner, theprocess 1200 may generate the solution graph 422.

Moreover, in some embodiments, a user may “lock” or force a vendorsolution 418 to remediate a given vulnerability 410 or vulnerable item412 (e.g., via the solution locking logic 426 of the solution managementsystem 406). In such a case, the solution graph generation logic 420 mayskip certain steps of the process 1200, such as linking vulnerabilities410 to vendor solutions 418 in process blocks 1222 and/or 1224 if thevulnerabilities 410 include the given vulnerability 410, as the user hasindicated that it should be a selected or favored vendor solution 418that should be implemented for the given vulnerability 410. Moreover,locking vulnerabilities 410 may be independently applied to lockingvulnerable items 412. For example, the solution locking logic 426 maylock a vulnerability 410 to a particular vendor solution 418, whilelocking a vulnerable item 412 that is associated with the vulnerability410 to a different vendor solution 418 than the vulnerability 410 islocked.

As mentioned above with respect to process block 1112, the solutionselection logic 424 may select a vendor solution using the solutiongraph 422 and based on superseding vendor solutions. FIG. 14 is a flowdiagram illustrating a process 1300 for selecting a vendor solution,according to embodiments of the present disclosure. The process 1300 maybe performed, for example, by the system 400 of FIG. 5, and, moreparticularly the solution selection logic 424 of the solution managementsystem 406. While the process 1300 is described using steps in aspecific sequence, it should be understood that the present disclosurecontemplates that the describe steps may be performed in differentsequences than the sequence illustrated, and certain described steps maybe skipped or not performed altogether.

In process block 1302, the solution selection logic 424 receives aselection of a vulnerability 410. In particular, the solution selectionlogic 424 may enable a user to select a vulnerability 410 (or avulnerable item 412).

In process block 1304, the solution selection logic 424 determines oneor more vendor solutions 418 that remediate the selected vulnerability410. As mentioned previously with respect to process block 1108 of FIG.12, the solution management system 406 receives a list of vendorsolutions 418 for the vulnerable items 412 of the client network 12and/or client devices 20. As such, the solution selection logic 424 maydetermine those vendor solutions 418 on the list of vendor solutions 418that remediate the selected vulnerability 410.

In process block 1306, for each determined vendor solution 418, thesolution selection logic 424 determines the highest supersedence vendorsolution. For example, the solution graph 800 of FIG. 9 illustratesmultiple favored vendor solutions 802, 804, 806, 808 for respectivegiven vulnerabilities 812, 814, 816, 818 because the solution selectionlogic 424 may identify, assign, or output each of the multiple vendorsolutions 802, 804, 806, 808 as a highest supersedence vendor solutionfor the respective given vulnerabilities 812, 814, 816, 818. However,for each of the other illustrated vulnerabilities (e.g., 820), there aremore than one highest supersedence vendor solution (e.g., 824).

In decision block 1308, the solution selection logic 424 determineswhether there is more than one highest supersedence vendor solution forthe selected vulnerability 410. In particular, and as shown in theexample solution graph 800 of FIG. 9, for each of the vendor solutions418 that remediate a vulnerability 410, the solution selection logic 424may follow the direction of supersedence arrows connected to arespective vendor solution 418 (and does not follow the paths to anyvulnerabilities 410). The solution selection logic 424 may determinewhether following the paths of each vendor solution 418 that remediatesthe vulnerability 410 ultimately leads to more than one vendor solution418.

If the solution selection logic 424 determines that there is more thanone highest supersedence vendor solution for the selected vulnerability410, then in process block 1310, the solution selection logic 424 doesnot output a suggested or favored vendor solution, as it may beambiguous what the suggested or favored vendor solution is. As anexample, for each of the vulnerabilities 820 of the solution graph 800of FIG. 9, there is more than one highest supersedence vendor solution(e.g., 824). As such, the solution selection logic 424 does not output avendor solution if the user selects one of the vulnerabilities 820.Instead, the solution selection logic 424 may output an indication(e.g., an error message indicating) that there is no single favoredvendor solution. In some embodiments, though, the solution selectionlogic 424 may return all applicable vendor solutions 418 (including anindication of which of the vendor solutions 418 are of highestsupersedence), the highest supersedence vendor solutions, or a subset ofthe applicable vendor solutions 418 based on any suitable metrics oruser preferences. This may be for the user to view and choose a vendorsolution from the multiple identified vendor solutions to implement.Additionally, if the solution selection logic 424 determines that thereis not a favored or suggested vendor solution due to updated or new datafrom a solution import from the vendor websites 416, and the solutionselection logic 424 had previously determined that there was a favoredvendor solution based on older data, then the solution selection logic424 may remove or delete the previously determined favored vendorsolution so that information may stay current.

If the solution selection logic 424 determines that there is only onehighest supersedence vendor solution for the selected vulnerability 410,then in process block 1312, the solution selection logic 424 outputs thehighest supersedence vendor solution. For example, referring back toFIG. 9, for the vulnerability 814, there is only one highestsupersedence vendor solution (e.g., 804). As such, the solutionselection logic 424 outputs a highest supersedence vendor solution 804as the favored or suggested vendor solution. In this manner, the process1300 selects and/or enables selection of a vendor solution to implement.

In additional or alternative embodiments, user preference logic 428 ofthe solution management system 406 may enable a user to indicatepreferences for branches (e.g., paths of divergence) and/or vendorsolutions 418 in the solution graph 422. For example, the user mayindicate a preference for a vendor solution 418, and the solutionselection logic 424 may only travel the branch of the solution graph 422where the user-favored solution exists when determining favored orsuggested vendor solutions.

The user may favor some branches and/or vendor solutions 418 to othersbecause, for example, the favored branches and/or vendor solutions 418have more beneficial impact on the client network 12 and/or clientdevices 20, expose the client network 12 and/or client devices 20 toless risk, are less costly to implement, take less time to implement,and so on. For instance, in a solution graph 422, one branch may resolvea vulnerability 410 by installing a newer major version of software,while another branch may patch an older major version of the softwarewhich the user may desire to keep using. As such, the user may set apreference for the branch that patches the older major version of thesoftware so that the client network 12 and/or client devices 20 maycontinue using the older major version of the software. In someembodiments, the user preference logic 428 may use machine learningtechniques to determine user preferences of branches and/or vendorsolutions 418 in the solution graph 422.

It should be understood that the term “logic” as used in the presentdisclosure, and indeed all components of the system 400, may beimplemented in software (e.g., machine-readable and/orprocessor-executable instructions, including firmware), hardware (e.g.,circuitry), or both.

The specific embodiments described above have been shown by way ofexample, and it should be understood that these embodiments may besusceptible to various modifications and alternative forms. It should befurther understood that the claims are not intended to be limited to theparticular forms disclosed, but rather to cover all modifications,equivalents, and alternatives falling within the spirit and scope ofthis disclosure.

The techniques presented and claimed herein are referenced and appliedto material objects and concrete examples of a practical nature thatdemonstrably improve the present technical field and, as such, are notabstract, intangible or purely theoretical. Further, if any claimsappended to the end of this specification contain one or more elementsdesignated as “means for [perform]ing [a function] . . . ” or “step for[perform]ing [a function] . . . ”, it is intended that such elements areto be interpreted under 35 U.S.C. 112(f). However, for any claimscontaining elements designated in any other manner, it is intended thatsuch elements are not to be interpreted under 35 U.S.C. 112(f).

1. A cloud computing system comprising: one or more data centers; aclient instance hosted by the one or more data centers; a communicationnetwork accessible by the client instance; one or more client devicesaccessing the client instance; one or more client networks enablingcommunication with the client instance by the one or more client devicesvia the communication network, wherein the one or more client devicesand one or more client networks comprise a plurality of configurationitems; a vulnerabilities database communicatively coupled to the clientinstance, wherein the vulnerabilities database stores a list ofvulnerabilities associated with configuration items of the plurality ofconfiguration items; and one or more vendor websites communicativelycoupled to the client instance via the communication network, whereinthe one or more vendor websites provide vendor solutions tovulnerabilities present on the list of vulnerabilities associated withthe plurality of configuration items; wherein the client instance isconfigured to receive a solution graph associating the vendor solutionswith respective vulnerabilities addressed by each vendor solution, andwherein the client instance comprises solution risk evaluation logicconfigured to evaluate a risk associated with each vendor solution. 2.The cloud computing system of claim 1, wherein the risk is associatedwith not implementing a respective vendor solution.
 3. The cloudcomputing system of claim 1, wherein the risk is associated with therespective vulnerabilities addressed by a respective vendor solution. 4.The cloud computing system of claim 1, wherein the solution riskevaluation logic is configured to provide a risk score based on: amaximum risk of a vulnerability; and a number of vulnerabilities that avendor solution is configured to remediate.
 5. The cloud computingsystem of claim 1, wherein the client instance comprises solution graphgeneration logic configured to: generate the solution graph; and updateonly a portion of the solution graph associated with new vendorsolutions in response to receiving the new vendor solutions.
 6. Thecloud computing system of claim 5, wherein a remaining portion of thesolution graph is unchanged prior to and after updating only the portionof the solution graph associated with the new vendor solutions.
 7. Thecloud computing system of claim 1, wherein the client instance isconfigured to enable implementation of a respective vendor solution inresponse to determining that the risk of not implementing the respectivevendor solution is higher than risks of not implement other vendorsolutions.
 8. A tangible, non-transitory, machine-readable-medium,comprising machine-readable instructions that, when executed by aprocessor, cause the processor to perform acts comprising: receive asolution graph associating vendor solutions with a plurality ofvulnerabilities of a plurality of configuration items, wherein theplurality of configuration items comprise one or more client networks,one or more client devices communicatively coupled to the one or moreclient networks, or both; and evaluate a risk associated with one ormore vulnerabilities of the plurality of vulnerabilities that areassociated with a vendor solution
 9. The tangible, non-transitory,machine-readable-medium of claim 8, wherein the machine-readableinstructions cause the processor to provide a risk rating associatedwith not implementing the vendor solution.
 10. The tangible,non-transitory, machine-readable-medium of claim 9, wherein themachine-readable instructions cause the processor to provide the riskrating on a scale of 1 to
 5. 11. The tangible, non-transitory,machine-readable-medium of claim 9, wherein the machine-readableinstructions cause the processor to display the risk rating.
 12. Thetangible, non-transitory, machine-readable-medium of claim 8, whereinthe machine-readable instructions cause the processor to determine anddisplay a number of vulnerabilities of the plurality of vulnerabilitiesassociated with the plurality of configuration items that the vendorsolution is configured to remediate.
 13. The tangible, non-transitory,machine-readable-medium of claim 8, wherein the machine-readableinstructions cause the processor to determine and display a completionpercentage associated with a number of vulnerabilities of the pluralityof vulnerabilities associated with the plurality of configuration itemsthat the vendor solution has remediated compared to a total number ofvulnerabilities of the plurality of vulnerabilities that the vendorsolution is configured to remediate.
 14. The tangible, non-transitory,machine-readable-medium of claim 8, wherein the machine-readableinstructions cause the processor to implement the vendor solution inresponse to determining that the risk associated with the one or morevulnerabilities associated with the vendor solution is higher than risksassociated with vulnerabilities associated with other vendor solutions.15. A client instance hosted by one or more data centers, wherein theclient instance is configured to: communicate with a communicationnetwork, wherein the communication network is configured to communicatewith one or more client networks, a vulnerabilities database, and one ormore vendor websites, wherein the one or more client networks areconfigured to communicate with one or more client devices, wherein theone or more client networks, the one or more client devices, or both,comprise one or more configuration items, wherein the vulnerabilitiesdatabase stores a list of vulnerabilities associated with the one ormore configuration items, and wherein the one or more vendor websitesprovide vendor solutions to a plurality of vulnerabilities of the listof vulnerabilities; and receive a solution graph associating the vendorsolutions with the plurality of vulnerabilities; wherein the clientinstance comprises solution risk evaluation logic configured to evaluatea risk associated with a vendor solution.
 16. The client instance ofclaim 15, wherein the risk is associated with one or morevulnerabilities of the plurality of vulnerabilities, wherein the vendorsolution is configured to remediate the one or more vulnerabilities. 17.The client instance of claim 16, wherein the solution risk evaluationlogic is configured to provide a risk score associated with the one ormore vulnerabilities.
 18. The client instance of claim 17, wherein therisk score is provided on a scale of 1 to
 100. 19. The client instanceof claim 17, wherein a high risk score indicates a high level of risk ofthe one or more client networks, the one or more client devices, orboth, that would be alleviated by deploying the vendor solution.
 20. Theclient instance of claim 17, comprising solution display logicconfigured to display the risk score.